What authority is necessary for a helpdesk person to be able to remove suspends and reset passwords?

Document ID : KB000045837
Last Modified Date : 14/02/2018
Show Technical Document Details

Question:

What authority is necessary for a helpdesk person to be able to remove suspends and reset passwords?

 

Answer:

When a user gets VTHRESH (suspended due to violations) or PTHRESH (suspended due to too many incorrect password violations), then the helpdesk needs to unsuspend them and if PTHRESH then also replace the password.    

Helpdesk personnel should be given MISC8(PWMAINT) authority. This limits the ability to only replacing passwords or removing suspends. This will allow the use of the PASSWORD keyword on any command, or the SUSPEND keyword on the REMOVE command.

 

If an administrator deliberately suspends an acid, which is called ASUSPEND, then the helpdesk will not be able to override the administrators suspend. They would need the MISC8(ASUSPEND) authority to override an administrative (ASUSPEND) suspend.

You do not want to give helpdesk personnel ACID(MAINTAIN) or MISC1(SUSPEND).  This gives too much authority.

You do need to make helpdesk personnel SCAs so that they are not limited to acids within their scope.  This is not a problem because an SCA doesn't have any special authority.  All authority has to be granted to them.